RSA Conference Report

ICS Industry Pioneer and Expert Eric Byres of ICS-Secure reports on the RSA Conference last week.

I just returned from the RSA Conference 2017 in San Francisco, after a five-year hiatus. If you are not familiar with the RSA Conferences, they are one of the largest cyber security events in the world, with a reported 40,000 attendees last year.

The last time I was at the RSA Conference, I didn’t think anyone there was taking ICS security seriously, so I decided to stop attending the event. This time I was hoping that with the interest in the Industrial Internet of Things (IIoT) and all the news of proven cyber impacts on critical infrastructures (like those in the Ukraine), things would be different.

Sadly nothing has changed. The RSA Conference (RSAC) is still pretty much a waste of time for anyone concerned with either IIoT or ICS security.

RSAC 2017 looked promising at the start. Mike Assante was on the annual keynote panel “The Seven Most Dangerous New Attack Techniques, and What’s Coming Next”. You can see video of the talk here: https://youtu.be/45_ciRquXBE

But it went downhill after that, with only one mainstream talk on ICS security. No tracks, no panels, no sessions… And while I didn’t attend that one talk*, the description told me enough:

This session will review key lessons learned about SCADA and IoT breaches and attacks such as Stuxnet and Mirai. We will look at the consequences of SCADA breaches and potential legal fallout, analyze two case studies, and discuss best legal and security practices. Case studies will feature two different potential attackers: a hostile nation state and aggrieved employees.

Stuxnet?? Haven’t we heard enough of that old worm? Has nothing else happened since 2010? And why is this talk in a law session run by a lawyer? I’m sure that Mr. Dietz is a fine lawyer, but if he is the only ICS expert that RSAC can find, what are they saying? Maybe the message is “Time to lawyer up boys, ‘cause there’s nothing else we can do to secure ICS”.

In fairness, there were four decent ICS sessions in the RSA Sandbox, all presented by familiar faces like Clint Bodungen, Andrey Nikishin and Tom VanNorman. Unfortunately the RSA Sandbox is advertised as “Full of hands-on interactive experiences to test your infosec skills…This year the Sandbox opens with RSAC’s third annual craft beer tasting event, CyBEER Ops”.

Perhaps RSAC should add: “Hey all you ICS kids… come play in the sandbox where you can’t hurt yourself. Just remember, don’t run and don’t throw sand at each other”. I’m sorry, but the term “sandbox” and the setup of the sandbox area just did not instill any feeling that the RSAC management team thinks ICS security is important.

On the show floor the situation was equally sad. Out of the several hundred booths I visited, I only found four with staff who could talk intelligently about ICS or IIoT issues. Now I’m sure I missed a few booths, but RSAC didn’t make it easy to find ICS security vendors. On the RSA 2017 web site there are over 100 possible search keywords and 20 core topics, covering everything from “Access Control” and “Anti-Spam” to “Zero Day Vulnerability”. Everything, that is, except the terms ICS, SCADA, or IIoT security. Those terms were conspicuously absent from the 120 search choices RSAC offered.

So would I recommend the RSA Conference to the ICS security community? Maybe if you want to meet up with colleagues – I had many productive face-to-face meetings with clients, potential partners and old friends. But if you want to see new ICS security technologies or listen to talks on the state of the art in IIoT security, go somewhere else. Dale Peterson’s S4 events, the SANS ICS Summit, the ICSJWG meetings and the ARC Forum are far better ways to spend your time and money. And you can still meet your friends there too.

Will I be back in 2018? Maybe, but only for the face-to-face meetings. Instead I will be heading to the SANS ICS Summit in Orlando, March 19-21. Hope to see you there.

*In the interests of full disclosure, I didn’t buy a full conference pass, so there might have been things I missed – but I doubt it. And I didn’t manage to visit every booth in the show. With over 650 exhibitors this year, I doubt anyone did. But I did struggle through every line of the exhibitors list and didn’t see any ICS-related vendors, except arguably my old friends at Belden. Unfortunately they were advertised only as TripWire, with no mention of ICS security in their show description.

Comments

Thanks for the update, Eric and Dale. I wasn’t there but had some friends and colleagues that were and shared a few additional observations that I took note of:

1.) Several ICS product vendors were there in “unofficial capacity” (i.e., no booth but still meeting with potential clients)

2.) Speaking of potential clients, there were ICS security decision makers there, though perhaps fewer than what you would hope given the overall attendance numbers

3.) With ICS security coming into the ‘mainstream’ and under the purview of many CISOs, it seems like there would be more of a demand for the topic at this type of event, but I think it’s just hard given the sheer volume of topics and vendors

Pretty accurate review overall, Eric/Dale. I would like to add that Matt Cowell from 3TI was also part of a great ICS presentation along with Tom. I think one of the issues is that, from what I understand, Tom has had to transport his “ICS Wall” equipment out of pocket. That’s a lot of equipment and a significant cost. Maybe if more of us in the community would come together with equipment, funding, people, etc. to share in the cost and effort, and create a cohesive system, we could help improve the experience at these “villages”?

Jason’s comment that there were a number of senior ICS security decision makers at RSAC this year is spot on. I met with several, and for that reason the show was worth my travelling there.

My complaint with RSAC isn’t about the interest in ICS by the attendees. Rather my complaint is that the RSAC management seems to stick ICS in the basement and forget about it. I know lots of good ICS speakers who submitted talks to RSAC, but not one was accepted (outside of the Sandbox).

Bottom line is RSAC is an effective, but very expensive way to meet with people (especially people you already know so you can text them to arrange a meeting). I just wish there was an interesting mainstream talk on ICS I could attend when I had open time between meetings. Or a way to search the 600+ exhibitors to find booths with an ICS capability. Right now both are lacking at RSAC.
